T1-10_Walberg_Expose VoIP problems with Wireshark


Exposing VoIP problems with Wireshark
April 2, 2008
Sean Walberg
Network Guy | Canwest
SHARKFEST '08
Foothill College
March 31 - April 2, 2008
Voice is just another application
Without tools, VoIP is a black box
Wireshark has tools to analyze VoIP
The Agenda
1. Capturing VoIP traffic
2. Using the basic Wireshark tools
3. Digging into the signaling traffic
4. Analyzing the RTP traffic
About you
About me
1. Capture the VoIP traffic
Location, Location, Location
Just a simple network
The signaling traffic takes a different path from the RTP traffic
Voice
Signaling
Or, it might do this
Voice
Signaling
Same conversation, different perspectives
Here you see B – A jitter, but not A - B
Here you see A – B jitter, but not B - A
NAT changes the address
Src=C, Dst=D
Src=A, Dst=B
The address changes within the cloud!
Set your capture filters
By the way…
If the signaling or the voice is encrypted, you won’t be able to decode it.
Sorry.
2. Use the basic tools
The Packet List window
Summaries are displayed here
Quality of Service for VoIP networks
Add a column for DSCP
Signaling
Tagged RTP
Untagged RTP
Insert -> Preferences
User Interface->Columns
Use color to show QoS problems
View -> Coloring Rules
Are you running a proprietary PBX?
Edit -> Properties, Protocols -> RTP
Use the Packet Details pane to see what’s inside the packet
3. Dig into the signaling traffic
Signaling protocols

SIP (from the IETF)

H.323 (from the ITU)

MGCP

IAX

SS7 (Telco)

GSM (Telco/Cell)

SCCP (Cisco Skinny)

Vendor specific
The role of signaling

Indicate to the remote end that a call is coming

Establish the codec to be used for voice

Establish the addresses of the endpoints

Get out of the way

Tear down the connection once it’s done
The 10,000 foot view of SIP
Statistics -> SIP
Demo – VoIP Call Statistics
4. Analyze the RTP traffic
The properties of RTP

RTP simulates the real time voice normally carried over a wire

4KHz voice bandwidth = 8KHz sampling rate (Nyquist)

8 bits/sample * 8KHz = 64,000bps (DS0)

A Codec (G.711u/A law, G.729, G.726, etc)

Most codecs use 20ms voice samples = 50pps

Even with compression, you have a fairly consistent packet rate, only the size changes
Three factors that affect voice quality
Latency <= 150ms (one way)
Jitter <= 20ms
Packet loss <= 0.1%
Latency <= 150ms (one way)
Jitter buffer, Transcoding delay
Path delay
Serialization delay
Hi, how are you?
Hello? Oops, sorry, go ahead
Fine, I oh hello, go ahead
Packet Loss <= 0.1%
Hi Bo *POP* How *POP*e you?
Hi Bo
How
you?
Jitter <= 20ms
Better late than never? No.
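Added example (not from the talk): the jitter and packet loss limits above checked against one RTP stream, using the RFC 3550 interarrival jitter estimator and sequence-number gaps. The packets are constructed G.711-style samples (50 pps, 8 kHz clock); Pkt, analyze, problems and stream are names made up for this illustration.

```python
# Added example: RFC 3550 jitter and sequence-gap loss for one RTP stream.
from dataclasses import dataclass

CLOCK_HZ = 8000        # G.711 RTP clock: 8 kHz sampling, 160 units per 20 ms packet
MAX_JITTER_MS = 20.0   # thresholds quoted on the slides
MAX_LOSS_PCT = 0.1

@dataclass
class Pkt:
    arrival_s: float   # capture timestamp in seconds
    seq: int           # 16-bit RTP sequence number
    rtp_ts: int        # 32-bit RTP timestamp in clock units

def analyze(pkts):
    """Return (final_jitter_ms, peak_jitter_ms, loss_pct); pkts in capture order."""
    jitter = peak = 0.0
    base = max_seq = pkts[0].seq
    cycles, prev = 0, None
    for p in pkts:
        # A forward step of less than half the sequence space is a newer packet;
        # if its raw value is smaller, the 16-bit counter wrapped.
        if 0 < ((p.seq - max_seq) & 0xFFFF) < 0x8000:
            if p.seq < max_seq:
                cycles += 0x10000
            max_seq = p.seq
        if prev is not None:
            # D = (arrival spacing) - (sender spacing), both in RTP clock units.
            sent = ((p.rtp_ts - prev.rtp_ts + 2**31) % 2**32) - 2**31
            d = abs((p.arrival_s - prev.arrival_s) * CLOCK_HZ - sent)
            jitter += (d - jitter) / 16.0      # RFC 3550 smoothing, gain 1/16
            peak = max(peak, jitter)
        prev = p
    expected = cycles + max_seq - base + 1
    loss_pct = max(0, expected - len(pkts)) * 100.0 / expected
    to_ms = 1000.0 / CLOCK_HZ
    return jitter * to_ms, peak * to_ms, loss_pct

def problems(pkts):
    """Names of the slide thresholds this stream exceeds."""
    _, peak_ms, loss = analyze(pkts)
    return [n for n, bad in (("jitter", peak_ms > MAX_JITTER_MS),
                             ("loss", loss > MAX_LOSS_PCT)) if bad]

def stream(n, drop=(), late=None, first_seq=0):
    """Constructed 50 pps stream; late={index: extra_seconds} delays arrivals."""
    late = late or {}
    return [Pkt(i * 0.02 + late.get(i, 0.0), (first_seq + i) & 0xFFFF, i * 160)
            for i in range(n) if i not in drop]

if __name__ == "__main__":
    print(analyze(stream(1000, drop={100, 500}, late={300: 0.016})))
    print(problems(stream(1000, drop={100, 500})))   # ['loss'] (0.2% > 0.1%)
```

A dropped packet leaves the jitter estimate untouched because arrival spacing and RTP timestamp spacing both double, which is why loss and jitter have to be measured separately.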
Demo – RTP Statistics
Optional – IO Statistics
Optional – Other things you can do to monitor VoIP
That’s it!
I’m [email protected]
Links related to this talk:
http://del.icio.us/seanw/sharkfest08